
Serverless Security Workshop

ServerlessDays London, July 12th, 2019

In this workshop, you will learn techniques to secure a serverless application built with AWS Lambda, Amazon API Gateway and RDS Aurora. We will cover AWS services and features you can leverage to improve the security of a serverless application in five domains: identity & access management, infrastructure, data, code, and logging & monitoring.

You'll start by deploying a simple serverless application. However, this application is not very secure, and we need your help to implement measures to protect this serverless API from attackers. By following different modules covering various aspects of security, you will help improve the security of the application.

The content for the workshop is available online:

https://github.com/aws-samples/aws-serverless-security-workshop

Danilo Poccia

July 12, 2019

Transcript

  1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
    Serverless Security Workshop
    Danilo Poccia, Principal Evangelist @danilop
    James Beswick, Senior Developer Advocate @jbesw
    Heitor Lessa, Specialist Solutions Architect @heitor_lessa
    Simon Thulbourn, Specialist Solutions Architect @sthulb
    ServerlessDays London 2019.07.12

  2. Agenda
    • Serverless security – is it different?
    • Security domains for serverless applications
    • Workshop scenario
    • How to secure serverless applications
    • Hands-on

  3. Sample architecture for serverless API endpoint
    (diagram: Users, Amazon Cognito, Amazon API Gateway, AWS Lambda, Amazon DynamoDB, Amazon RDS)

  4. Sample architecture for serverless web app
    (diagram: Users, Amazon CloudFront, Amazon S3, Amazon Cognito, Amazon API Gateway, AWS Lambda, Amazon DynamoDB, Amazon RDS)

  5. How is serverless security different?
    Different:
    • Reduced scope
    • Ephemeral environment
    • More event sources can trigger your AWS Lambda functions
    • Old techniques might not be relevant
    But still…
    • Need to secure databases, S3 buckets, etc.
    • Need to secure your code.
    • Need to use minimum privilege access.
    • Need to monitor usage and data flow.
    https://www.protego.io/ebook/

  6. (image-only slide)

  7. Domains of security for (serverless) applications
    (diagram: Identity & Access, Infrastructure, Data, Code, Logging & Monitoring)

  8. OWASP 2017 – Top 10 Web Application Security Risks
    Rank  Security risk
    1     Injection
    2     Broken Authentication
    3     Sensitive Data Exposure
    4     XML External Entities (XXE)
    5     Broken Access Control
    6     Security Misconfiguration
    7     Cross-Site Scripting (XSS)
    8     Insecure Deserialization
    9     Using Components with Known Vulnerabilities
    10    Insufficient Logging & Monitoring
    https://www.owasp.org
    Ranking factors:
    • Exploitability
    • Prevalence
    • Detectability
    • Technical impact

  9. OWASP Top 10 mapped to security domains
    (diagram: Identity & Access, Infrastructure, Data, Code, Logging & Monitoring)
    • Broken Authentication (#2)
    • Broken Access Control (#5)
    • Injection (#1)
    • XXE (#4)
    • XSS (#7)
    • Insecure Deserialization (#8)
    • Using Components with Known Vulnerabilities (#9)
    • Sensitive Data Exposure (#3)
    • Using Components with Known Vulnerabilities (#9)
    • Security Misconfiguration (#6)
    • Insufficient Logging & Monitoring (#10)

  10. (image-only slide)

  11. Scenario: Wild Rydes (www.wildrydes.com)

  12. 3rd party functionality – unicorn customization
    Visit beautiful Unicornpolis!
    Sock image credit: Freepik from www.flaticon.com

  13. 3rd party API: Unicorn customization
    List customization options and prices:
    GET /capes
    GET /glasses
    GET /horns
    GET /socks
    Image credit: Smashicons, Freepik from www.flaticon.com; johnny_automatic from www.openclipart.org

  14. 3rd party API: Unicorn customization
    Create and manage customizations
    POST /customizations
    GET /customizations
    GET /customizations/{id}
    DELETE /customizations/{id}

  15. Admin API: register 3rd party partners
    Register new partners
    POST /partners

  16. Workshop architecture – starting point
    (diagram: 3rd party, Amazon API Gateway, AWS Lambda, Amazon RDS)
    Not secure!

  17. Your task: secure the application against attackers!
    Image credit: pongsakornred, Freepik from www.flaticon.com

  18. Workshop
    Link to the workshop: https://amzn.to/serverless-security
    Module 0: mandatory
    Modules 1-8: pick your own battle!
    Identity & Access: Module 1: auth
    Code: Module 2: Secrets; Module 3: input validation; Module 7: dependency vulnerability
    Data: Module 4: encryption in transit
    Infrastructure: Module 5: usage plans; Module 6: WAF
    Logging & Monitoring: Module 8: X-Ray

  19. (image-only slide)

  20. Identity and access management for serverless applications
    • Authenticate and authorize end-users/clients
    • Access between backend services (e.g. AWS Lambda to DynamoDB tables)

  21. Identity and access management for serverless applications
    • Authenticate & authorize end-users/clients
    • Access control between services

  22. Workshop module 1: OAuth Client Credentials Flow
    Participants: Client, Authorization server, Resource server
    1. Client -> Authorization server: client credentials (ClientID + Client Secret)
    2. Authorization server -> Client: access token
    3. Client -> Resource server: call protected resource with access token
    4. Resource server -> Client: protected resource response

  23. Workshop module 1: add authentication
    (diagram: 3rd party, Amazon API Gateway, AWS Lambda, Amazon RDS (Aurora MySQL))
    Amazon Cognito: client authentication
    AWS Lambda (custom authorizer): verify access token and scope; download public key to validate token
    Amazon DynamoDB: mapping ClientID -> backend companyID
    OWASP #2: Broken Authentication
    OWASP #5: Broken Access Control

  24. Workshop module 1: add authentication
    Amazon Cognito app clients:
    • Admin app client: Client ID ZZZ + Client Secret
    • Company bar app client: Client ID YYY + Client Secret
    • Company foo app client: Client ID XXX + Client Secret
    Amazon Aurora – Company table
    ID  Name
    1   Foo
    2   Bar
    Amazon DynamoDB – Mapping table
    ClientID  BackendID
    XXX       1
    YYY       2


  25. Securing code for serverless applications
    • Input validation
    • Dependency vulnerabilities
    • Secrets in source code

  26. Securing code for serverless applications
    Input validation:
    • AWS WAF: XSS rules, SQL injection rules
    Storing secrets:
    • AWS Secrets Manager
    • Systems Manager
    Dependency vulnerabilities

  27. Module 2: Secrets Manager
    (diagram: 3rd party, Amazon API Gateway, AWS Lambda, Amazon RDS (Aurora MySQL), AWS Secrets Manager)
    CloudFormation
    Secret rotation
    OWASP #3: Sensitive Data Exposure

  28. Module 3: Input Validation
    (diagram: 3rd party, Amazon API Gateway, AWS Lambda)
    POST /customizations
    Request body:
    {
      "name": "AwesomeUnicorn",
      "imageUrl": "http://this.jpg",
      "sock": "1",
      "horn": "1",
      "glasses": "1",
      "cape": "1"
    }
    Request body with an unexpected attribute:
    {
      "unexpectedAttr": "1"
    }
    • OWASP #1: Injection
    • OWASP #8: Insecure Deserialization
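An added example (not the workshop's code) of the request validation this slide calls for: a JSON Schema model for the POST /customizations body with additionalProperties: false, shaped like the request model an API Gateway request validator enforces, plus a small validator that rejects the body carrying unexpectedAttr so that only the expected attributes, in the expected shape, reach the Lambda function and the database. The attribute patterns are assumptions.

```javascript
// Constructed JSON Schema model for the POST /customizations body on the slide.
// additionalProperties: false is what rejects keys such as "unexpectedAttr";
// the patterns (assumed, not from the workshop) keep option ids to digits only,
// so nothing but a numeric id ever reaches the SQL layer.
const CUSTOMIZATION_SCHEMA = {
  type: 'object',
  additionalProperties: false,
  required: ['name', 'imageUrl', 'sock', 'horn', 'glasses', 'cape'],
  properties: {
    name:     { type: 'string', pattern: '^[A-Za-z0-9 _-]{1,64}$' },
    imageUrl: { type: 'string', pattern: '^https?://\\S{1,2048}$' },
    sock:     { type: 'string', pattern: '^[0-9]{1,10}$' },
    horn:     { type: 'string', pattern: '^[0-9]{1,10}$' },
    glasses:  { type: 'string', pattern: '^[0-9]{1,10}$' },
    cape:     { type: 'string', pattern: '^[0-9]{1,10}$' },
  },
};

// Minimal validator for the keywords used above (type, required, properties,
// additionalProperties, pattern); not a full JSON Schema engine.
function validateBody(body, schema = CUSTOMIZATION_SCHEMA) {
  if (typeof body !== 'object' || body === null || Array.isArray(body)) {
    return ['body must be a JSON object'];
  }
  const errors = [];
  for (const key of schema.required) {
    if (!Object.prototype.hasOwnProperty.call(body, key)) errors.push(`missing required attribute: ${key}`);
  }
  for (const [key, value] of Object.entries(body)) {
    const rule = schema.properties[key];
    if (!rule) {
      if (schema.additionalProperties === false) errors.push(`unexpected attribute: ${key}`);
      continue;
    }
    if (typeof value !== rule.type) { errors.push(`${key} must be a ${rule.type}`); continue; }
    if (rule.pattern && !new RegExp(rule.pattern).test(value)) errors.push(`${key} does not match ${rule.pattern}`);
  }
  return errors;
}

// Parse the raw request body and validate it; returns an API Gateway style result.
function handleCustomizationRequest(rawBody) {
  let body;
  try { body = JSON.parse(rawBody); } catch (err) { return { statusCode: 400, errors: ['body is not valid JSON'] }; }
  const errors = validateBody(body);
  if (errors.length > 0) return { statusCode: 400, errors };
  return { statusCode: 201, customization: body }; // now safe to hand to the database layer
}
```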


  29. Module 7: Dependency Vulnerability
    • Check for vulnerabilities in our dependencies
    • OWASP Dependency Check: https://www.owasp.org/index.php/OWASP_Dependency_Check
    • Third-party tools
    • Remove unused dependencies
    • depcheck: https://www.npmjs.com/package/depcheck
    http://npm.anvaka.com/#/view/2d/request
    • OWASP #9: Using Components with Known Vulnerabilities

  30. Securing data for serverless applications
    Your responsibility:
    • Data classification and data flow
    • Tokenization
    • Encryption at rest
    • Encryption in transit
    • Data backup/replication/recovery
    Managed backups/encryption

  31. Securing data for serverless applications
    • Data classification
    • Data flow
    • Data tokenization
    • Data encryption at rest
    • Data encryption in transit
    • Data backup/replication

  32. Module 4: encryption in transit
    (diagram: 3rd party, Amazon API Gateway, AWS Lambda, Amazon RDS (Aurora MySQL))
    Database connection config with TLS (ssl option set):
    {
      host: "database.host.com",
      user: "admin",
      password: "xxxxxxx",
      database: "unicorn_customization",
      ssl: "Amazon RDS"
    }
    Database connection config without TLS:
    {
      host: "database.host.com",
      user: "admin",
      password: "xxxxxxxxx",
      database: "unicorn_customization"
    }
    OWASP #3: Sensitive Data Exposure

  33. Securing infrastructure for serverless applications
    Your responsibility:
    • DDoS protection
    • Throttling/rate limiting
    • Network boundaries

  34. Securing infrastructure for serverless applications
    DDoS protection + throttling/rate limiting:
    • AWS WAF: geoblocking, IP reputation lists, rate-based rules, size constraint
    Network boundaries

  35. Module 5: Usage Plans
    (diagram: 3rd party + API key, Amazon API Gateway, AWS Lambda (custom authorizer), AWS Lambda, Amazon RDS)

  36. Module 6: WAF
    (diagram: 3rd party, AWS WAF, Amazon API Gateway, AWS Lambda, Amazon RDS)

  37. Logging & monitoring for serverless applications
    • Application logs
    • Access logs
    • Control plane audit logs
    • Metrics
    • Alarms
    • Compliance validation

  38. Logging & monitoring for serverless applications
    • Logging and tracing
    • Metrics
    • Compliance validation

  39. Module 8: X-Ray
    OWASP #10: Insufficient Logging & Monitoring

  40. Workshop (same content as slide 18)
    Link to the workshop: https://amzn.to/serverless-security

  41. Thank you!
    @danilop